Stolen TRICARE health records did not meet federal encryption standards

Computer tapes containing health care information on 4.9 million TRICARE beneficiaries, stolen from the car of a Science Applications International Corp. employee in San Antonio, Texas, earlier this month, were not encrypted in compliance with federal standards, SAIC said.

The Texas TRICARE data theft is the largest health data breach since February 2010, when the Health and Human Services Department began requiring health care organizations to post breaches of health information affecting more than 500 people on a website.

Vernon Guidry, an SAIC spokesman, said in a statement that "some personal information was encrypted prior to being backed up on the tapes." But, he added, "the operating system used by the government facility to perform the backup onto the tape was not capable of encrypting data in a manner that was compliant with the relevant federal standard."

That facility, which Guidry did not identify, "was seeking a compliant encryption solution that would work with the operating system when the backup tapes were taken."

The Health Information Technology for Economic and Clinical Health Act, part of the 2009 American Recovery and Reinvestment Act, requires health care organizations to ensure that patient information in health records is unusable, unreadable, or indecipherable to unauthorized individuals. In August 2009, HHS published an interim rule requiring either encryption or destruction to ensure the security of health records.

That rule cites guidelines developed by the National Institute of Standards and Technology that say federal agencies should encrypt data using the Advanced Encryption Standard, developed by NIST and adopted as a federal standard in 2002.

TRICARE did not respond to queries from Nextgov about the data theft. It is unclear what kind of encryption was used in San Antonio and why it did not adhere to federal standards.

HITECH also requires health care organizations to conduct risk assessments of the security of patient data. Sean Glynn, marketing vice president for Credant Technologies, a data security firm in Addison, Texas, said such assessments should focus on physical security as well as cybersecurity.

Referring to the San Antonio data theft, Glynn said he was surprised that a computer tape containing millions of health records was left in an SAIC employee's vehicle for an entire work day. Glynn said he would suggest using an armored car to transport such a large amount of sensitive data.

Credant provides technology to ensure that backups of health care information cannot be performed without automatic encryption, which enforces encryption policies.

Roughly 60 percent of the data breaches posted on the HHS website since 2010 involve the theft or loss of laptops or magnetic media such as thumb drives. Glynn said this indicates that the security of health information is a human issue that requires training and strict enforcement of security policies.